In recent years, the number of cases where an industrial control system is connected to a network has increased in the industrial control system, so that the number of cases where the system becomes a target of a cyber attack has increased. The following methods have been adopted in the industrial control system in order to detect intrusion into the network by the cyber attack.
A conventional intrusion detection system defines a communication where a pair of a transmission destination address and a transmission source address, a protocol, and so on are permitted, using that network communication in the industrial control system is static. Then, the intrusion detection system sets a communication other than the permitted communication to be abnormal, thereby taking a countermeasure of a white-list type to detect intrusion of an unknown attack as well (see Patent Documents 1 and 2).
There has also been proposed a method of defining a communication sequence to be permitted and managing a communication state of being unconnected, being under communication, being subject to an abnormality process or the like in each communication sequence (see Patent Literature 2).
There has also been proposed a method of defining an application whose communication is to be permitted, thereby detecting network intrusion by execution of an unauthorized program (see Patent Literature 3).